feat: add velero package (#210)

## Description
Adds a Velero package to support deploying a backup utility as part of
uds-core.

---------

Co-authored-by: Megamind <882485+jeff-mccoy@users.noreply.github.com>
Co-authored-by: Micah Nagel <micah.nagel@defenseunicorns.com>

README.md

@@ -16,12 +16,12 @@ UDS Core establishes a secure baseline for cloud-native systems and ships with c
 - [Pepr](https://pepr.dev) - UDS policy engine & operator
 - [Prometheus Stack](https://github.com/prometheus-operator/kube-prometheus) - Monitoring
 - [Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/) - Log Aggregation
+- [Velero](https://velero.io/) - Backup & Restore
 
 #### Future Applications
 
 - [Kiali](https://kiali.io/) - Service Mesh Observability
 - [Tempo](https://grafana.com/docs/tempo/latest/getting-started/) - Tracing
-- [Velero](https://velero.io/) - Backup & Restore
 
 ---
 

packages/standard/zarf.yaml

@@ -89,3 +89,9 @@ components:
     required: true
     import:
       path: ../../src/authservice
+
+  # Velero
+  - name: velero
+    required: true
+    import:
+      path: ../../src/velero

src/velero/README.md

@@ -1 +1,99 @@
 ## Velero
+
+https://velero.io/
+
+## Deployment Prerequisites
+
+### Resources
+
+- k3d installed on machine
+
+#### Object Storage
+
+S3 compatible object storage must be available in order to use this package. Bucket information and access credentials can be provided via configuration values / env vars:
+
+- Bucket ID: `ZARF_VAR_VELERO_BUCKET`
+- Bucket Region: `ZARF_VAR_VELERO_BUCKET_REGION`
+- Bucket Provider URL: `ZARF_VAR_VELERO_BUCKET_PROVIDER_URL`
+- Access Key: `ZARF_VAR_VELERO_BUCKET_KEY`
+- Access Key Secret: `ZARF_VAR_VELERO_BUCKET_KEY_SECRET`
+
+As an alternative to providing the access key and secret via variable, you can reference a secret with the following format
+```
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ###ZARF_VAR_VELERO_BUCKET_CREDENTIALS_SECRET###
+  namespace: velero
+type: kubernetes.io/opaque
+stringData:
+  cloud: |-
+    [default]
+    aws_access_key_id=###ZARF_VAR_ACCESS_KEY###
+    aws_secret_access_key=###ZARF_VAR_SECRET_KEY###
+```
+
+By overriding the velero values in the bundle as follows:
+```
+  - name: core
+    overrides:
+      velero:
+        velero:
+          values:
+            - path: "credentials.existingSecret"
+              value: "velero-bucket-credentials"
+```
+
+## Plugin Compatability
+This package currently assumes the availability of S3 API compatible object storage. As such, only the AWS specific plugin image is included. More information about all available plugins [can be found in the upstream docs](https://velero.io/plugins/). Ironbank includes images for Azure and the generic CSI driver, but those are currently excluded from this package. We may revisit package defaults at some point in the future depending on usage and user requests.
+
+## Deploy
+
+### Build and Deploy Everything locally via UDS tasks
+
+```bash
+# build the bundle for testing
+UDS_PKG=velero uds run create-single-package
+
+# setup a k3d test env
+uds run setup-test-cluster
+
+# deploy the bundle
+UDS_PKG=velero uds run deploy-single-package
+```
+
+### Test the package via UDS tasks
+Running the following will check that the velero deployment exists in the cluster and attempt to execute a backup:
+```bash
+uds run -f src/velero/tasks.yaml validate
+```
+> Alternatively, you can combine package creation, cluster setup, package deploy and the test command with a simple `UDS_PKG=velero uds run test-single-package`
+
+## Manually trigger the default backup for testing purposes
+```
+velero backup create --from-schedule velero-udsbackup -n velero
+```
+> NOTE: requires [the velero CLI](https://velero.io/docs/v1.3.0/velero-install/)
+
+Alternatively, manually create a `backup` object with `kubectl`:
+```bash
+uds zarf tools kubectl apply -f - <<-EOF
+  apiVersion: velero.io/v1
+  kind: Backup
+  metadata:
+    name: test-backup
+    namespace: velero
+  spec:
+    csiSnapshotTimeout: 0s
+    excludedNamespaces:
+    - kube-system
+    - flux
+    - velero
+    hooks: {}
+    includeClusterResources: true
+    itemOperationTimeout: 0s
+    metadata: {}
+    snapshotVolumes: false
+    ttl: 240h0m0s
+EOF
+```

src/velero/chart/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

src/velero/chart/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: uds-velero-config
+description: Velero configuration for UDS
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0

src/velero/chart/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "uds-velero-config.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "uds-velero-config.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "uds-velero-config.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "uds-velero-config.labels" -}}
+helm.sh/chart: {{ include "uds-velero-config.chart" . }}
+{{ include "uds-velero-config.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "uds-velero-config.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "uds-velero-config.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "uds-velero-config.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "uds-velero-config.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

src/velero/chart/templates/uds-package.yaml

@@ -0,0 +1,27 @@
+apiVersion: uds.dev/v1alpha1
+kind: Package
+metadata:
+  name: velero
+  namespace: {{ .Release.Namespace }}
+spec:
+  network:
+    allow:
+      # Todo: wide open for now for pushing to s3
+      - direction: Egress
+        podLabels:
+          app.kubernetes.io/name: velero
+        remoteGenerated: Anywhere
+
+      - direction: Egress
+        podLabels:
+          batch.kubernetes.io/job-name: "velero-upgrade-crds"
+        remoteGenerated: KubeAPI
+
+      - direction: Ingress
+        remoteNamespace: monitoring
+        remoteSelector:
+          app: prometheus
+        selector:
+          app.kubernetes.io/name: velero
+        port: 8068
+        description: "Prometheus Metrics"

src/velero/common/zarf.yaml

@@ -0,0 +1,40 @@
+kind: ZarfPackageConfig
+metadata:
+  name: uds-core-velero-common
+  description: "UDS Core Velero Common"
+  url: https://velero.io/
+
+variables:
+  - name: VELERO_BUCKET_PROVIDER_URL
+    description: "S3 compatible object storage service for use with Velero"
+    default: "http://minio.uds-dev-stack.svc.cluster.local:9000"
+  - name: VELERO_BUCKET
+    description: "S3 compatible object storage bucket for use with Velero"
+    default: "uds"
+  - name: VELERO_BUCKET_REGION
+    description: "Region of the bucket for use with Velero"
+    default: "uds-dev-stack"
+  - name: VELERO_BUCKET_KEY
+    description: "Key to use when connecting to the Velero bucket"
+    default: "uds"
+  - name: VELERO_BUCKET_KEY_SECRET
+    sensitive: true
+    description: "Key secret to use when connecting to the Velero bucket"
+    default: "uds-secret"
+
+components:
+  - name: velero
+    required: true
+    charts:
+      - name: uds-velero-config
+        namespace: velero
+        version: 0.1.0
+        localPath: ../chart
+      - name: velero
+        namespace: velero
+        url: https://vmware-tanzu.github.io/helm-charts
+        version: 5.4.1
+        repoName: velero
+        releaseName: velero
+        valuesFiles:
+          - ../values/values.yaml